Who can perform a CMMC self-assessment?

Organizations themselves can perform CMMC self-assessments, typically at Level 1 or as allowed by specific contracts. Internal teams use self-assessments to identify gaps before undergoing a third-party evaluation.

Can an organization self-certify for CMMC?

No. Under CMMC 2.0, only Certified Third-Party Assessment Organizations (C3PAOs) authorized by The Cyber AB can issue official certification. Self-assessments are for readiness and gap identification only.

What are the CMMC 2.0 levels and domains?

CMMC 2.0 has three levels: Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert). Level 2 practices are organized across 14 domains covering areas like Access Control, Incident Response, Risk Management, and System Integrity.

Why are self-assessments important for CMMC readiness?

Self-assessments help organizations proactively identify gaps, prioritize remediation, validate technical and process controls, and reduce surprises during formal assessments. They are critical for building a sustainable, audit-ready cybersecurity program.

How can RSI Security help with CMMC preparation?

RSI Security provides end-to-end CMMC support including readiness assessments, gap analysis, SSP and POA&M development, vCISO advisory, and official Level 2 assessments as a Certified C3PAO, helping organizations move from self-assessment to certification efficiently.

Your CMMC Self-Assessment Checklist

Q: What is evaluated during a CMMC assessment?

During a CMMC assessment, evaluators review documentation, objective evidence, and perform interviews or demonstrations to confirm that cybersecurity practices are consistently implemented and aligned with NIST SP 800-171 or SP 800-172 standards.

RSI Security

2 weeks ago

Prepare for Certification With Clarity, Not Guesswork

CMMC 2.0 is reshaping how defense contractors protect sensitive data, and how they demonstrate compliance. For organizations across the Defense Industrial Base (DIB), the pressure to meet evolving requirements is increasing, especially as formal third-party assessments approach. A CMMC self-assessment removes much of the uncertainty from the process. Instead of reacting at the last minute, organizations can proactively evaluate their security posture, understand where they stand against CMMC requirements, and plan remediation with confidence.

In this guide, we explain how CMMC self-assessments fit into the broader certification process, what they can and cannot accomplish, and how to use them to uncover compliance gaps and accelerate readiness, without confusion or wasted effort.

What Is a CMMC Self-Assessment?

A CMMC self-assessment is an internal evaluation of your organization’s cybersecurity posture against the Cybersecurity Maturity Model Certification (CMMC) framework. It helps defense contractors determine whether required security practices are properly implemented before facing a formal assessment.

Under CMMC 2.0, self-assessments may be permitted for Level 1 organizations. However, they do not replace the independent third-party assessments required for Level 2 and Level 3 certification.

A self-assessment does not result in official certification. Instead, it provides internal visibility into your current controls, highlights compliance gaps, and identifies what must be addressed before an authorized third party conducts an assessment.

Can Organizations Self-Certify Under CMMC?

No. Under CMMC 2.0, organizations cannot self-certify.

Formal CMMC certification requires an assessment pathway defined by Department of Defense (DoD) rulemaking and enforced through contract language. While Level 1 organizations may be permitted to complete annual CMMC self-assessments, these reviews do not result in certification and are not valid for contracts that require Level 2 or Level 3 compliance.

A CMMC self-assessment is a readiness and gap-analysis tool, not an authorization mechanism. Organizations that confuse internal reviews with official credentials, or overstate their readiness, face significant risk once formal third-party audits begin.

Request a Free Consultation

Why CMMC Self-Assessments Still Matter

Even though they do not result in certification, CMMC self-assessments play a critical role in compliance preparation.

They enable organizations to proactively identify gaps against NIST SP 800-171 Rev. 2—the foundation of CMMC Level 2 requirements, while validating that policies, procedures, and technical controls are fully aligned. This early visibility reduces the risk of surprises during a formal assessment and helps teams allocate time and resources more effectively.

A CMMC self-assessment also provides a structured way to prioritize remediation, particularly when CMMC requirements are tied to near-term contract obligations.

When conducted correctly, self-assessments reduce uncertainty, improve audit readiness, and accelerate the path toward CMMC compliance.

What Is Evaluated During a CMMC Assessment?

CMMC does not reinvent cybersecurity, it formalizes the controls already required under NIST SP 800-171.

For CMMC Level 2, assessments are based on two key standards:

NIST SP 800-171 Rev. 2 – Defines the required security practices
NIST SP 800-171A – Provides guidance on how to evaluate those practices

During an assessment, the evaluator, whether an internal team performing a self-assessment or a Certified Third-Party Assessment Organization (C3PAO), examines three categories of evidence:

Documentation – Policies, procedures, System Security Plan (SSP), and Plan of Action and Milestones (POA&M)
Objective Evidence – Screenshots, system logs, access configurations, asset inventories
Interviews & Demonstrations – Confirmation that documented controls are consistently applied

Each practice is scored as:

Met – Fully implemented and supported by clear evidence
Not Met – Missing, incomplete, or inconsistently applied
Not Applicable – Out of scope with proper justification

Honest internal self-assessments are essential. Overstating readiness or inflating compliance can create significant risk when a formal assessment occurs.

Who Performs Official CMMC Assessments?

Official CMMC Level 2 assessments can only be conducted by Certified Third-Party Assessment Organizations (C3PAOs) authorized by The Cyber AB. These assessors follow strict guidelines to ensure independence, proper evidence handling, and impartiality.

If your organization works with an advisory or readiness partner, note that the same partner cannot serve as your assessor due to conflict-of-interest rules.

Always verify that any C3PAO is currently authorized and listed by The Cyber AB before engaging them for an assessment.

Understanding the CMMC 2.0 Framework

CMMC 2.0 streamlines the previous five-tier model into distinct levels of cybersecurity maturity, each aligned with the type of information your organization handles and the associated risk of your contracts.

Level 1 – Foundational

Designed for organizations managing Federal Contract Information (FCI) only
Includes 17 practices focused on basic cyber hygiene
Annual self-assessments are permitted

Level 2 – Advanced

Applies to most Defense Industrial Base (DIB) contractors handling Controlled Unclassified Information (CUI)
Aligns with 110 controls from NIST SP 800-171
Requires a third-party assessment, unless the contract allows self-attestation

Level 3 – Expert

Reserved for organizations supporting high-priority national security programs
Incorporates NIST SP 800-172 controls to defend against advanced persistent threats (APTs)
Assessed by government-led teams

For most contractors, CMMC Level 2 readiness is the primary goal, especially as more contracts are expected to include CMMC compliance requirements in 2026.

CMMC Domains and Practice Areas

CMMC Level 2 practices are organized into 14 cybersecurity domains, each covering critical aspects of information security for Defense Industrial Base (DIB) contractors. Key domains include:

Access Control
Audit and Accountability
Configuration Management
Identification and Authentication
Incident Response
Risk Management
System and Information Integrity
…and others

Each domain encompasses both technical safeguards and institutionalized processes. It is not enough to simply implement controls, you must also demonstrate that they are consistently applied and supported by repeatable documentation.

CMMC Self-Assessment Readiness Checklist

Use the following questions to guide your internal CMMC self-assessment:

If you are unsure about any item in the checklist, start your remediation efforts there to close gaps before a formal assessment.

Best Practice: Every finding in your self-assessment should be mapped to:

A specific CMMC control
The associated asset or system
A designated owner responsible for remediation

Following this approach ensures that your self-assessment is structured, actionable, and audit-ready.

CMMC Readiness Is a Journey, Not a Checkbox

A CMMC self-assessment is not a one-time task. It is part of an ongoing process that strengthens the long-term maturity of your cybersecurity program.

To achieve full CMMC readiness, your organization should focus on:

Clear, defensible documentation
Technical controls that accurately reflect your environment
Repeatable processes supported by consistent evidence
Remediation tracking and POA&Ms tied to deadlines
Independent assessment when required

CMMC compliance is more than passing an audit—it’s about establishing a sustainable cybersecurity posture that your team can maintain and defend under operational pressure.

How RSI Security Supports CMMC Preparation

RSI Security provides end-to-end support for organizations pursuing CMMC compliance, including:

CMMC readiness assessments aligned to NIST SP 800-171
Detailed gap analysis and prioritized remediation roadmaps
Assistance developing and validating System Security Plans (SSPs) and Plans of Action and Milestones (POA&Ms)
Ongoing vCISO advisory to strengthen governance and risk management
Conducting official Level 2 assessments as a Certified C3PAO

With RSI Security, your organization doesn’t just prepare, it prepares responsibly. By combining AI-powered insights with human-led guidance, we help your team navigate the CMMC process with clarity, from initial self-assessment through full certification.

Let’s Build a Defensible Path to CMMC Certification

CMMC requirements are increasingly appearing in contracts, and timelines for compliance are accelerating. Whether your organization needs help conducting a CMMC readiness review or preparing for a third-party assessment, RSI Security provides the expertise and guidance to move forward with confidence.

Next Steps:

Contact RSI Security to discuss tailored support for your compliance journey

With RSI Security, you’re not just preparing—you’re building a defensible, audit-ready cybersecurity program that stands up to formal assessments.